Risky Business: When Governments Do Not Attribute State-Sponsored Cyberattacks

Kristen Eichensehr is an Assistant Professor at UCLA School of Law, an affiliate scholar at the Center for Internet and Society at Stanford Law School, and a term member of the Council on Foreign Relations.

In the presidential debate last week, Hillary Clinton cited Russia’s responsibility for the hack of the Democratic National Committee (DNC). Two weeks ago, Senator Diane Feinstein and Congressman Adam Schiff released a statement explaining, “Based on briefings we have received, we have concluded that the Russian intelligence agencies are making a serious and concerted effort to influence the U.S. election.” Despite these statements and Crowdstrike’s accusations against Russia, the executive branch has not officially attributed the DNC intrusions to Russia.

In the absence of official attribution by the U.S. executive branch, private cybersecurity companies are playing the role of accusers of foreign governments. The DNC compromise is not the only case like this. Take the 2015 Office of Personnel Management breach. The executive branch has not formally identified the perpetrators of that intrusion either, but Crowdstrike has accused Chinese government-affiliated hackers.

Casting private companies in the role of accusers has some benefits, but relying on private attributions to the exclusion of official attributions may create some underappreciated risks for the United States.

On the plus side, attributions by private companies have fostered transparency: the companies publicly announce their findings and release reports—often quite detailed ones—about their evidence. Other companies and researchers can then independently evaluate the evidence and confirm or dispute the attribution. That double-checking process confirmed Crowdstrike’s attribution of the DNC hack to Russia. Attribution by companies can also put foreign government-sponsored hackers on notice that their actions are traceable, potentially deterring or at least slowing further intrusions.

U.S. government officials have praised private attributions and suggested they are useful to the government. Secretary of Defense Ash Carter said in a 2015 speech that attribution of cyberattacks has improved “because of private-sector security researchers like FireEye, Crowdstrike, HP—when they out a group of malicious cyber attackers, we take notice and share that information.” Moreover, private companies’ attributions ensure that foreign governments are accused of bad behavior, without the U.S. government having to do the accusing and bearing whatever diplomatic costs might follow.

But aside from these apparent benefits, reliance on private attributions to the exclusion of governmental accusations could be problematic for the U.S. government going forward.

First, the speed and detail of private companies’ attributions can make the government seem slow and overly cautious. This perception is heightened when government sources anonymously confirm to journalists that the government believes a foreign state is behind an attack—as government sources have with respect to the DNC hack—but the government continues to refrain from an official accusation. The absence of an official attribution may tend to foster ongoing questioning about the source of intrusions.

Another risk is that private companies are shaping expectations about the evidence needed for attributions. Think of this as a “CSI effect” whereby the portrayal of high-tech forensic investigation on television shows like CSI causes jurors in actual criminal trials to have unreasonable expectations about the amount and nature of evidence that should be presented. The cybersecurity equivalent is that private companies’ transparency about the evidence supporting their attributions of attacks to foreign governments may shape expectations about the evidence that the government should put forth when it makes similar accusations.

The “CSI effect” may have been at play in response to the FBI’s attribution of the Sony Pictures hack to North Korea. The FBI initially gave a high-level description of the evidence supporting its attribution, but was met with skepticism from the security community. To address continued questioning, FBI Director James Comey provided a somewhat more detailed description of the FBI’s evidence a few weeks later. The prevalence of detailed private attributions may be setting expectations for attributions that the government cannot match without compromising sources and methods that it needs to preserve, and absent detailed evidence, its attributions may seem less credible to security researchers.

The evidentiary standards matter not just as between the private sector and the government domestically, but also between countries. There is not yet settled state practice about the nature or amount of evidence that a state should put forth in accusing another state of a cyberattack. The U.N. Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security—a group that includes the United States, Russia, and China, among other countries—touched on the evidentiary issue in passing in a 2015 report. The report notes that “accusations of organizing and implementing wrongful acts brought against States should be substantiated” (para. 28(f)). Substantiated how or with what type of evidence, the report doesn’t say.

The United States has an opportunity to shape evidentiary norms about attribution, but to do so, it will need to make official accusations. To be sure, the stakes are high for official attributions. They have to be right, and accusations raise expectations that the government will take other responsive actions, like imposing sanctions (as in the Sony case) or filing criminal charges (as the United States has done with respect to hackers linked to China and Iran).

But the stakes are also high if the U.S. government sits out public attributions. If the United States does not officially attribute state-sponsored cyberattacks and cedes the field to private companies or other states, it risks losing control of both the narrative about particular cyberattacks and the evolving evidentiary norms. Instead, the norms may be influenced by the practices of private companies, whose reports may create a baseline that governments will have difficulty matching, or they may be set by the practice of other countries that are more forthcoming about official accusations.

Especially in instances where cyberattacks involve important values, like freedom of expression or electoral integrity, the United States should find a way to make substantiated, public attributions. Silence carries its own risks.